Haproxy: When using TLS everywhere, use verifyhost for the balancermembers

This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
author: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-04-18 14:49:09 +0300
committer: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-04-18 14:51:03 +0300
commit: c372d01a9427d65ae44063adf68c78748770eac4 (patch)
tree: 320d8d0e17654b4e73d8c68ffc083afba765146a /manifests/haproxy.pp
parent: 7567c71e4780b3508b752efe99f5215094f2c141 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a6bd1eb..d497056 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -718,6 +718,9 @@ class tripleo::haproxy (
 
   if $enable_internal_tls {
     $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    Haproxy::Balancermember {
+      verifyhost => true
+    }
   } else {
     $internal_tls_member_options = []
   }
author	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2017-04-18 14:49:09 +0300
committer	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2017-04-18 14:51:03 +0300
commit	c372d01a9427d65ae44063adf68c78748770eac4 (patch)
tree	320d8d0e17654b4e73d8c68ffc083afba765146a /manifests/haproxy.pp
parent	7567c71e4780b3508b752efe99f5215094f2c141 (diff)